5 Reasons Your Security Program is a Failure

February 14th, 2010

So, much like any other security consultant, I see a lot of the same things across organizations with regard to information security. Some good, some not so good, some horrifying. Here’s a succinct list of the top 5 things I see consistently which I believe contribute to infosec program suckage.

Politics: If the security organization is impotent due to political issues, and has no a) budget, b) support from executives and business unit management, and c) plan, it is very likely doomed to failure.

Lack of monitoring capabilities: We need more eyes and ears. From NIDS to HIDS to File Integrity Monitoring to Network Flow Analysis to Log Management, we need better visibility into what is happening in the environment. Not only that, but too many organizations buy stuff and forget about it – if you don’t have daily SOPs around your monitoring tools and capabilities (who reviews the alerts, when, and what happens when a sensor goes quiet), you will end up with shelfware, and that just sucks.

Lack of technical skills: Way too many infosec folks are happy to slap that “CISSP” on their business cards or email signatures. Great. Can you actually DO anything though? I truly feel that a base skillset for anyone in infosec operations has to include some scripting, firewall and router ACL creation and management, a grasp on scanning and vulnerability management, patching and configuration management skills, reading and understanding packets, and responding to incidents. Sure, there are specialties. But who gives a $*@ about your cutting edge Appsec skills when no one on the team can even lock down a box appropriately? C’mon. And you managers who hide behind “policy” and “governance” and go to 10 meetings a day to keep looking busy? Heh – chances are you suck. The day is coming when you will, and should be, obsolete. Yeah, we’re all trying to be better “business people”, but you still need to have a technical skill set to even PRETEND to keep up with this game.

Focus on the “cutting edge”: Got Web app firewalls? DLP? Awesome! But if you have no system hardening program, or lack a robust patch management process, you are really missing the boat. It’s been consistently proven that the basics like patching and config management, when implemented and maintained rigorously, could have stopped a vast percentage of data breaches. One exception – the time for whitelisting has come. Death to blacklist AV!

Managing to compliance: Sad to say, but I have seen this really emerge in the last 3-4 years. Organizations are stopping at the check box. And that’s a tragedy, since we all know that compliance != security. I say that with a hint of sarcasm, since it’s pretty damn obvious that we all DON’T know this, or people wouldn’t be doing things this way.

Not a complete list, at all. Just the major things I see consistently across organizations in pretty much every vertical.

You hit all five square on the head… since I’ve come into my organization I have worked on shifting the focus on 2, 3, and 4. However, 1 and 5 are deep-seated cultural issues that are much harder to tackle. Patience, common sense, and a good data-centric security architecture are the only way to take on all of the issues you named.